fwsm basic question


hi! I've a few questions to verify with the configuration shown below.

1) I created a context called test-no-vrf (transparent mode) with VLAN 240 (outside) and 241 (inside) created in the 6509 switch, and I'm able to access the GUI using ASDM. If I were to apply a firewall rule in my test-no-vrf context (between my live servers' VLAN (not VLAN 240 and 241) and my test VLAN 241), will this impact my live VLAN's servers in another live context? First of all, will I be able to add my live VLAN subnet into my test-no-vrf's rules?

2) Can I create another group for my test VLANs 240 and 241 instead of joining them to my live VLANs in vlan-group 3? What's the difference between creating another vlan-group for test VLANs 240 and 241 and my current setup below? Does that mean I will not be able to use rules that involve my live VLANs'/subnets' servers?

3) If I create a context with a VRF (routing done within the VRF itself instead of going through the MSFC) plus all the new VLANs, can these VLANs be used in my live context? Or are they localized within the context itself?


Cisco6509 Sw


svclc multiple-vlan-interfaces

svclc module 2 vlan-group 1,2

svclc vlan-group 1  108,202

svclc vlan-group 2  107

svclc vlan-group 3  4,5,7,8,100-102,109,110,200,201,240,241

firewall multiple-vlan-interfaces

firewall module 3 vlan-group 2,3

FWSM Module


interface Vlan7
interface Vlan8
interface Vlan100
interface Vlan107
interface Vlan109
interface Vlan110
interface Vlan150
interface Vlan200
description LAN Failover Interface
interface Vlan201
description STATE Failover Interface
interface Vlan240
interface Vlan241



context test-no-vrf
  allocate-interface Vlan240
  allocate-interface Vlan241
  config-url disk:/test-no-vrf.CFG

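The vlan-group lines on the switch only decide which VLANs get trunked to the firewall module slot; a context can then use only the VLANs it has allocate-interface lines for. As an added example (not part of the post and not Cisco code), this Python script parses the two config fragments quoted above (embedded here as constructed copies) and reports, per context, any allocated VLAN that the switch never trunks to that module, which is the first thing to check when a new vlan-group is introduced.

```python
import re

# Constructed copy of the 6509 lines quoted in the question.
SWITCH_CONFIG = """
svclc multiple-vlan-interfaces
svclc module 2 vlan-group 1,2
svclc vlan-group 1  108,202
svclc vlan-group 2  107
svclc vlan-group 3  4,5,7,8,100-102,109,110,200,201,240,241
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 2,3
"""

# Constructed copy of the FWSM context definition quoted in the question.
FWSM_CONFIG = """
context test-no-vrf
  allocate-interface Vlan240
  allocate-interface Vlan241
  config-url disk:/test-no-vrf.CFG
"""

# Both 'svclc' and 'firewall' keywords define groups / assign them to a slot.
GROUP_DEF = re.compile(r"^(?:svclc|firewall)\s+vlan-group\s+(\d+)\s+(\S+)", re.M)
MODULE_DEF = re.compile(r"^(?:svclc|firewall)\s+module\s+(\d+)\s+vlan-group\s+(\S+)", re.M)
CONTEXT_DEF = re.compile(r"^context\s+(\S+)")
ALLOC_DEF = re.compile(r"^\s+allocate-interface\s+Vlan(\d+)")


def expand_list(spec):
    """'4,5,100-102' -> {4, 5, 100, 101, 102}; single numbers and ranges."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def module_vlans(config, module):
    """VLANs the switch trunks to the given service-module slot."""
    groups = {int(g): expand_list(v) for g, v in GROUP_DEF.findall(config)}
    for mod, assigned in MODULE_DEF.findall(config):
        if int(mod) == module:
            return set().union(*(groups.get(g, set()) for g in expand_list(assigned)))
    return set()


def context_vlans(config):
    """Map each FWSM context name to the VLAN numbers it allocates."""
    result, current = {}, None
    for line in config.splitlines():
        m = CONTEXT_DEF.match(line)
        if m:
            current = m.group(1)
            result[current] = set()
            continue
        m = ALLOC_DEF.match(line)
        if m and current:
            result[current].add(int(m.group(1)))
    return result


def unreachable_vlans(switch_config, fwsm_config, module):
    """Per context: allocated VLANs that are not trunked to the FWSM slot."""
    trunked = module_vlans(switch_config, module)
    return {ctx: vl - trunked for ctx, vl in context_vlans(fwsm_config).items()}
```

Run with the post's fragments it returns an empty set for test-no-vrf, i.e. both 240 and 241 do reach module 3 via vlan-group 3.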
francisco_1 Mon, 02/22/2010 - 09:33

The FWSM does not support virtual routing (VRF). To configure the FWSM for virtualization, you are going to have to create VRFs on the MSFC instead and have different VLANs on the MSFC in their own VRF. On the FWSM, create multiple contexts and allocate the VLANs to a context on the FWSM. Traffic between VRFs will transit the FWSM context associated with the local VRF, route through the switch MSFC and traverse back through the FWSM context associated with the destination VRF.

hi! Just to confirm, about the question I asked about the vlan-group: if I created a new test context with 3 VLANs assigned to a new vlan-group, can I apply rules that include my other live servers which are on different VLANs from the ones I assigned to my test context? (e.g. allow only HTTP from my other server segments to access the inside of my test context). What's the difference between grouping them into one vlan-group and isolating my test context's VLANs from my live server VLANs? thx.
